Development and operations a practical guide
Download 4.62 Mb. View original pdf
|
| Operator Logs As stated previously, all activities should be logged accurately and concisely. At a minimum, the following information must be collected and logged for each action performed: ● Start Timestamp (UTC Recommended) ● End Timestamp (UTC Recommended) ● Source IP (Attack/Test System IP address) ● Source Hostname ● Destination IP (Target IP Address) ● Destination Hostname ● Destination Port (Target Port) ● Destination System Name ● Pivot IP (if applicable, list IP of any system used as a pivot, port forwarder, etc.) ● Pivot Hostname ● Pivot Ports (if applicable, list send and receive ports leveraged in pivot system) ● URL (Note, it is important to capture the FULL URL of the Target instance) ● Tool/Application ● Action (What activity or action was performed) ● Command (Full command) ● Output (Command output or response) ● Description (why or for what purpose was the action was performed) ● Result (Success, Failed, Achieved, etc.) ● System Modification (Modified file, dropped binary location, enabled functions, etc.) ● Comments ● Screenshot (Filename of screenshot) ● Operator Name Remember: When creating log entries, documenting actions, uploading/downloading files, dropping binaries, etc. It is beneficial to record using the YYYYMMDD_HHMM_IP_Description format. Examples: ● Start Timestamp Target Action ○ 20170308_151801 ● Screenshot of Nmap port 445 ○ 20170308_1518_10.10.1.106_nmap445.png ● Screenshot of open smb share ○ 20170308_1519_10.10.1.106_smb_share.png Screenshot of password file ○ 20170308_1525_10.10.1.106_smb_share_passwords.txt Detailed logs provide a snapshot of where an operator is during an engagement and can be used to derive the status of an engagement as a whole. This type of information is critical to tracing steps throughout an engagement to properly manage, resolve deconfliction requests, and ensure data is available to produce a quality deliverable or report. Logs should contain all major steps that provide the who, what, when, where, why, and how of an action or series of actions. In addition to a text log, a screenshot is an excellent way to visualize an action. Once an engagement is complete, logs are all that remain. The quality of an engagement is directly related to the quality of the logs. Download 4.62 Mb. Share with your friends:
|